• One of the groups behind Lokibot campaigns used a tunneling service called Ngrok in order to spread the malware through spam emails.
  • A spam mail linked to this campaign impersonates BBVA Banco Continental and contains a malicious Excel attachment which downloads Lokibot.

A recent Lokibot campaign has been spotted, which made use of a tunneling service to spread the malware. According to My Online Security, threat actors behind this campaign leveraged a service known as Ngrok. As claimed on the website, Ngrok reveals servers in NATs and Firewalls over secure tunnels. Hence, the service acted as a direct tunnel or a VPN which the actors exploited to push the malware through spam emails.

Details about the campaign

  • MyOnlineSecurity received a spam mail impersonating the Spanish Bank, BBVA Banco Continental.
  • The email content, written in Spanish, mentions a fake ‘transfer of payments’ and has a malicious XLS file.
  • Once downloaded, the attachment requests to enable macros. If macros are allowed, a Lokibot sample gets downloaded in the system.

Worth noting

My Online Security also discovered that the tunneling service was hosted on Amazon AWS. “The Ngrok service is hosted on Amazon AWS so reporting to them is basically a waste of time because by the time they respond the malware has done its work & vanished and the malware isn’t actually stored anywhere on an Amazon server, just a link or redirect to the malware happens via Amazon AWS,” said the site.

It also suggested that the attackers might be having millions of subdomains spreading malware through the ngrok service.

Cyware Publisher